A method, system, and program storage device for establishing security and
authorization policies for users accessing a software application,
wherein the method comprises generating at least one application object
group from an application object description document comprising an XML
format run on a data processor; creating an authorization policy for each
application object; sending a selected application object group to an
access controller; and establishing access control parameters at a time
of deployment of the software application for users attempting to access
the selected application object group based on the authorization policy.
The method further comprises specifying environmental variables for the
authorization policy; changing the authorization policy by modifying a
declarative specification of the environmental variables and modifying
constraints defined on attributes of an application object; implementing
varied classes of authorization policies using a same authorization
policy classifier; and specifying the application object group using
grouping parameters.
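The flow described above, as an added sketch that is not taken from the patent itself: object groups are built from an XML description using a grouping parameter, each object has a declarative policy with attribute constraints and environmental variables, and an access controller evaluates requests against the one selected group. The XML element and attribute names, the policy layout, the role names and the `network` variable are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed application object description (hypothetical schema). It is a
# trusted deployment-time artifact here; parse untrusted XML with defusedxml.
DESCRIPTION = """<application name="payroll">
  <object id="salary_report" type="report" sensitivity="high"/>
  <object id="org_chart" type="report" sensitivity="low"/>
  <object id="pay_run" type="action" sensitivity="high"/>
</application>"""

# One declarative policy per application object (hypothetical layout):
# allowed roles, constraints on object attributes, required environment values.
POLICIES = {
    "salary_report": {"roles": {"hr"}, "attrs": {"sensitivity": "high"},
                      "env": {"network": "internal"}},
    "org_chart": {"roles": {"hr", "staff"}, "attrs": {}, "env": {}},
    "pay_run": {"roles": {"payroll_admin"}, "attrs": {"type": "action"},
                "env": {"network": "internal"}},
}

def build_groups(xml_text, group_by):
    """Group application objects by a grouping parameter (an attribute name)."""
    groups = defaultdict(dict)
    for obj in ET.fromstring(xml_text).iter("object"):
        attrs = dict(obj.attrib)
        groups[attrs.get(group_by, "ungrouped")][attrs["id"]] = attrs
    return dict(groups)

def is_allowed(group, object_id, user_roles, env, policies=POLICIES):
    """Access controller decision for one selected group; default deny."""
    obj = group.get(object_id)
    policy = policies.get(object_id)
    if obj is None or policy is None:
        return False  # object not in the selected group, or no policy defined
    if not policy["roles"] & set(user_roles):
        return False
    if any(obj.get(k) != v for k, v in policy["attrs"].items()):
        return False  # constraint on an object attribute not satisfied
    return all(env.get(k) == v for k, v in policy["env"].items())

if __name__ == "__main__":
    reports = build_groups(DESCRIPTION, "type")["report"]  # selected group
    print(is_allowed(reports, "salary_report", ["hr"], {"network": "internal"}))
    print(is_allowed(reports, "salary_report", ["hr"], {"network": "external"}))
```

Changing the policy means editing the declarative `POLICIES` entry (for example its `env` constraints), not the evaluation code.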